
Cloudflared Tunnels Related DNS Requests

Sigma Rules

Summary
This detection rule identifies DNS requests for domains associated with Cloudflared tunnels, which have been abused in the wild to establish reverse shells and maintain persistence on compromised machines. Attackers may use these tunnels to bypass traditional security controls and communicate with command and control (C2) servers while blending in with legitimate Cloudflare traffic. By monitoring DNS queries whose names end with specific Cloudflared domains, security teams can surface unusual or unauthorized tunnel usage. The rule focuses on the following domain suffixes: .v2.argotunnel.com, protocol-v2.argotunnel.com, trycloudflare.com, and update.argotunnel.com. Note that legitimate use of Cloudflare tunnels will also trigger this detection, so matches are a potential source of false positives that need to be evaluated during incident response.
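The suffix matching the rule describes, run over a few constructed DNS query records, as an added example that is not part of the Sigma rule or this page. The records mimic the field names of Sysmon Event ID 22 (DnsQuery) and are invented sample data; the suffix list is taken from the summary above.

```python
from __future__ import annotations

from typing import Iterable

# Domain suffixes named in the rule summary. Sigma expresses this with an
# `endswith` modifier on the query name, so plain suffix matching is used here;
# any label in front of a suffix (e.g. "abc.trycloudflare.com") also matches.
CLOUDFLARED_SUFFIXES = (
    ".v2.argotunnel.com",
    "protocol-v2.argotunnel.com",
    "trycloudflare.com",
    "update.argotunnel.com",
)


def normalize_query_name(query_name: str) -> str:
    """Lower-case the name and drop the trailing dot some resolvers log (FQDN form)."""
    return query_name.strip().rstrip(".").lower()


def is_cloudflared_query(query_name: str) -> bool:
    """True when the queried name ends with one of the Cloudflared tunnel suffixes."""
    name = normalize_query_name(query_name)
    return any(name.endswith(suffix) for suffix in CLOUDFLARED_SUFFIXES)


def find_tunnel_queries(records: Iterable[dict]) -> list[dict]:
    """Return the DNS query records the rule would flag."""
    return [r for r in records if is_cloudflared_query(r.get("QueryName", ""))]


def hosts_by_match(records: Iterable[dict]) -> dict[str, list[str]]:
    """Group flagged query names by host for triage; sanctioned tunnel use shows up here too."""
    grouped: dict[str, list[str]] = {}
    for r in find_tunnel_queries(records):
        grouped.setdefault(r["Computer"], []).append(normalize_query_name(r["QueryName"]))
    return grouped


# Constructed sample records shaped like Sysmon Event ID 22 fields; not real telemetry.
SAMPLE_RECORDS = [
    {"Computer": "ws01", "Image": r"C:\Users\alice\Downloads\cloudflared.exe", "QueryName": "region1.v2.argotunnel.com."},
    {"Computer": "ws01", "Image": r"C:\Users\alice\Downloads\cloudflared.exe", "QueryName": "Protocol-v2.ARGOTUNNEL.com"},
    {"Computer": "ws02", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.cloudflare.com"},
    {"Computer": "ws02", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "argotunnel.com.example.test"},
    {"Computer": "srv03", "Image": r"C:\Tools\cf.exe", "QueryName": "quiet-river-sample.trycloudflare.com"},
    {"Computer": "srv03", "Image": r"C:\Tools\cf.exe", "QueryName": "update.argotunnel.com"},
]

if __name__ == "__main__":
    for host, names in hosts_by_match(SAMPLE_RECORDS).items():
        print(host, names)
```

The `Image` field is carried through untouched so that an analyst can separate an unexpected binary from a sanctioned cloudflared install when reviewing a match.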
Categories
  • Cloud
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Application Log
  • Logon Session
Created: 2023-12-20